This article is written by Kanika Arora of the 4th Semester of Delhi Metropolitan Education.
Abstract
The number and importance of biometric data provided by fingerprints, hand shape, heart rate, voice patterns, facial features and expressions, brain activity, and body movement have both increased. Surprisingly, the enormous potential of biometric data, as well as the myriad risks associated with its collection and use, have received little attention in the academic business literature. This article aims to (1) explain what biometric data is and how it can be used, (2) outline the advantages of using biometric data in different business applications, (3) discuss the difficulties of collecting and using biometric data, including privacy and security concerns, storage and safety issues, and the potential for increased bias, and (4) suggest related research directions.
Keywords: Fingerprints, Brain Activity, Privacy, Safety issues, Facial Features.
Introduction
Anytime, anywhere convenience is becoming more prevalent thanks to developing technologies and rising internet usage. Nowadays, many apps employ biometric authentication, such as fingerprint scanning or facial recognition, to increase the security of the app or device. A user of such an application may be asked to provide a fingerprint scan before being allowed to access personal and sensitive data, in order to authenticate a purchase, open a mobile application, or carry out various other tasks on the mobile phone.
These technologies are frequently seen as essential for protecting people’s personal information and as helpful tools for spotting fraudulent transactions. As the advantages and appeal of biometrics grow in cyberspace, so does the worry of privacy activists and authorities about the serious abuse these technologies could enable if such data is hacked. Lawmakers have principally tackled data security through legislation aimed at preventing the unauthorized disclosure and potential misuse of numerical or factual data linked with the user, or at adequately alerting consumers and regulatory authorities when it occurs. An in-depth discussion of biometric data and the identification of related cybersecurity concerns are the goals of this study.
Background
What is Biometrics?
The Greek term bio, which means life, is the root of the word biometrics, which expresses measures of life. Depending on the circumstance, the definition of biometric data may change. However, when we talk about biometrics, we usually mean distinct and “measurable human biological and behavioural characteristics that can be used for identification or the automated methods of recognizing an individual based on those characteristics.” The term “biometric identifiers” is defined differently in different cases and countries, however, some examples of these “biometric identifiers” that are frequently used are “retina or iris scans, fingerprints, voiceprints, and scans of hand or face geometry.” In this sense, biometric data is “information derived from biometric identifiers.”
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Privacy Rules) provide clear guidelines regarding the use of personal information or data, including biometric data.
According to Article 2(b) of the 2011 Rules, “biometry” is defined as the use of technology for the measurement and analysis of human characteristics such as “fingerprint”, “eye retina and iris”, “sound pattern”, “length pattern”, “fingerprint” and “DNA” for authentication.
In addition, in Article 3(7) of the Personal Protection Law, biometric data is defined as follows:
“Biometric data is facial images, fingerprints, iris scans or other similar data, physical or behavioral data that result from the measurement or function of the body, which enables or confirms the identification of the person”.
Data protection laws are required
The steps that must be taken to ensure that personal data is treated morally and appropriately are outlined in the data protection regulations.
- The collection, use, transfer, and disclosure of personal data, as well as its security, are all governed by data protection legislation.
- People are given access to their data, accountability requirements are established for companies that process it, and remedies are provided for improper or harmful processing.
- Data protection laws also offer remedies for fraudulent activity and the false profiles that can be created using stolen data.
- Data protection laws are important because when information gets into the wrong hands, it can endanger people’s safety in several ways, including their economic security, physical safety, and personal integrity.
When is government interference with data acceptable?
Any governmental or non-governmental institution, organization, or agency shall keep users’ data in strict confidence. However, under the conditions specified in Section 69 of the Information Technology Act of 2000, the government may intercept, monitor, and decrypt information created, sent, received, or stored in any computer resource.
Section 69
Under Section 69 of the Information Technology Act of 2000, the government may require the disclosure of any information in the public interest where it could result in unlawful activities that endanger India’s national security, sovereignty, and integrity, or its defence, security, friendly relations with foreign states, or public order.
Section 69A
For similar and territorial reasons (as noted above), the Central Government may, under Section 69A, direct any government agency or intermediary to block public access to information created, transmitted, received, stored, or hosted in a computer resource. The term “intermediary” includes search engines, online businesses, internet cafes, auction and payment sites, telecommunications service providers, web service providers, internet service providers, and web hosting companies. Such blocking orders must be made in writing.
Section 69B
The national government may, by notification in the Official Gazette, authorize any government institution to monitor and collect traffic data or information generated, transmitted, or received over any computer resource. This is done to enhance cyber security and to identify, analyze, and prevent intrusion or the spread of computer contaminants in the country. The power to monitor and collect traffic data or information is granted by Section 69B.
The 2000 Information Technology Act
The Information Technology Act of 2000 was passed on October 17, 2000. It is the primary Indian law addressing e-commerce and cybercrime issues. The Act was passed to combat cybercrime, support online transactions, and advance e-governance. Its main objectives are to diminish or completely eradicate cybercrime while facilitating legitimate, trustworthy digital, computerized, and online operations.
The United Nations Commission on International Trade Law (UNCITRAL) adopted the UNCITRAL Model Law on Electronic Commerce in 1996 to harmonize the laws of member countries. This led the Government of India to create a law for India based on the UNCITRAL guidelines, called the Information Technology Act, which was later amended and approved by the Ministry of Electronics and Information Technology. India thus became the 12th country to revise its cyber laws.
Why should biometric information be safeguarded?
- Biometric data characteristics require protection.
The intrinsic qualities of biometric data require protection because biometrics are, by their very nature, “unlike other unique identifiers”. Unlike other types of sensitive information, biometrics are “biologically unique to the individual” and cannot be altered. As a result, if hacked, the user has little recourse, runs a higher risk of identity theft, and is likely to steer clear of transactions that require a biometric.
- The use of biometric data raises cybersecurity concerns.
Biometric authentication is gradually becoming the preferred approach for defending individuals and businesses against hackers. Hackers, in turn, use this data to commit fraud and identity theft. Nowadays, facial recognition, iris scans, and fingerprint scanners are widely used. Although this technology has many advantages in the fight against cybercrime, it also carries risks. To safeguard themselves and their digital information, people and organizations need to be aware of two key issues:
- People need to be aware that fraudsters trying to steal or falsify biometric data may “hack” fingerprint or facial recognition systems.
- Hospitals and other organizations that maintain patient medical records, blood samples, or DNA profiles should think about the security implications of a data leak.
- Protection of biometric data is essential for the fulfillment of the Right to Privacy.
The Puttaswamy v. Union of India (Puttaswamy I) ruling by the Supreme Court on August 24, 2017, shed some light on the issue of privacy as a fundamental right. India had a broad understanding of an implicit right to privacy before the ruling, but its limits were not clear.
On September 26, 2018, the Supreme Court upheld the constitutionality of the Aadhaar program, holding that consent to the sharing of biometric data under the “Aadhaar Act” does not breach the right to privacy. Aadhaar cards can still be used for a variety of other purposes, such as obtaining PAN cards and other types of identification, even though private entities are no longer permitted to use them for KYC authentication.
There is an urgent need to pass legislation protecting privacy rights due to the growth of technology, which has opened up new ways for the government to breach privacy through monitoring, profiling, and data gathering. In response to threats from international terrorism and rising worries about public safety, nations are using technology more frequently.
It is possible to analyze big data and digital footprints to find patterns, trends, and relationships, particularly those connected to human behavior and interactions. With new technical developments come new worries about how sensitive information can be processed and shared by the government, especially as engineers create more powerful algorithms.
The Aadhaar Act has been deemed constitutional, but there should still be security measures in place. Data protection and privacy are covered in the Puttaswamy I judgment, which stipulates that “any collection of personal information that would impact privacy must have a law to back it.” India must enact comprehensive privacy legislation that provides “judicial remedies and other enforcement mechanisms for preventing privacy violations” to ensure the success of Aadhaar. Given that the Indian Constitution declares the right to privacy to be protected, this duty should be simpler to fulfil.
Biometric fraud: a growing threat
Spoofing is the practice of tricking a biometric security system using stolen or faked biometric information. A prosthetic silicone finger, for instance, may be created from a stolen fingerprint (as in the Bareilly case). This can be used to unlock a mobile device or payment system, giving the attacker access to the victim’s bank account. Facial recognition systems, which are frequently used to secure smartphones and tablets, have been shown to be unlockable simply by presenting a photo of the user.
Although businesses constantly develop their technology to stay ahead of hackers, consumers still leave their fingerprints and DNA, such as saliva on a coffee cup, everywhere they go, creating a variety of opportunities for fraud. If a credit card number is stolen, you simply cancel the old card and get a new one. However, it is virtually impossible to replace a duplicated and stolen fingerprint or DNA sample. To stay one step ahead of thieves, technology businesses must handle the critical security issues raised by biometric security systems: how to safely store this information, how to prevent spoofing, and, most importantly, how to validate the user’s authenticity.
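The storage problem raised above has a standard answer in the template-protection literature: store not the biometric itself but a helper string bound to a random key, together with a hash of that key (a fuzzy commitment). A fresh scan that is close enough to the enrolled one recovers the key; a leaked record can be revoked by re-enrolling under a new key, even though the finger itself cannot be changed. The Python below is an added illustration written for this article, not code from the author or from any product it mentions; the 80-bit feature vectors are constructed toy values rather than real biometric data, the repetition code stands in for the stronger error-correcting codes real schemes use, and all function names are assumptions of this example.

```python
"""Toy fuzzy-commitment scheme for protecting a stored biometric template.

Added illustration, not code from the article. Feature vectors are constructed
80-bit toy strings, not real biometric data, and the repetition code is a
teaching stand-in for the stronger error-correcting codes (e.g. BCH) that real
template-protection schemes use.
"""
import hashlib
import secrets

REP = 5                                 # each key bit is repeated REP times
KEY_BITS = 16                           # random key committed at enrolment (toy size)
TEMPLATE_BITS = KEY_BITS * REP          # 80-bit toy feature vector
MAX_ERRORS_PER_BLOCK = (REP - 1) // 2   # majority vote corrects up to 2 flips per block


def bits_from_hex(hex_str, n=TEMPLATE_BITS):
    """Expand a hex string into a list of n bits, most significant first."""
    value = int(hex_str, 16)
    return [(value >> (n - 1 - i)) & 1 for i in range(n)]


def flip(bits, positions):
    """Copy of bits with the given positions inverted (simulates scan noise)."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


def xor_bits(a, b):
    return [x ^ y for x, y in zip(a, b)]


def encode(key_bits):
    """Repetition code: 1 0 1 -> 11111 00000 11111."""
    return [b for b in key_bits for _ in range(REP)]


def decode(code_bits):
    """Majority vote per block of REP bits; tolerates MAX_ERRORS_PER_BLOCK flips."""
    return [int(sum(code_bits[i:i + REP]) * 2 > REP)
            for i in range(0, len(code_bits), REP)]


def commit(key_bits):
    """Hash of the key; the only thing stored besides the helper string."""
    return hashlib.sha256(bytes(key_bits)).hexdigest()


def enroll(template_bits, key=None):
    """Bind a fresh random key to the template. Only helper + commitment are
    stored; the raw template is discarded. A fixed key may be passed for tests."""
    if key is None:
        key = [secrets.randbelow(2) for _ in range(KEY_BITS)]
    helper = xor_bits(encode(key), template_bits)
    return {"helper": helper, "commitment": commit(key)}


def verify(record, candidate_bits):
    """Re-derive the key from a fresh (noisy) scan and check it against the commitment."""
    noisy_codeword = xor_bits(candidate_bits, record["helper"])
    return commit(decode(noisy_codeword)) == record["commitment"]


def max_block_errors(t1, t2):
    """Largest per-block Hamming distance; verify succeeds iff <= MAX_ERRORS_PER_BLOCK."""
    d = xor_bits(t1, t2)
    return max(sum(d[i:i + REP]) for i in range(0, len(d), REP))


# Constructed sample scans (toy values, not real biometric data).
GENUINE = bits_from_hex("3f8a1c55e29b4d7f0a6e")
NOISY_SCAN = flip(GENUINE, [3, 17, 18, 42, 79])   # at most 2 flips in any block
IMPOSTOR = bits_from_hex("c0ffee0123456789abcd")   # differs in all 5 bits of block 0


def demo():
    record = enroll(GENUINE)
    results = {
        "genuine": verify(record, GENUINE),
        "noisy_scan": verify(record, NOISY_SCAN),
        "impostor": verify(record, IMPOSTOR),
    }
    # Revocation: the finger cannot be changed, but the stored record can.
    # Re-enrolling under a fresh key yields a different helper and commitment;
    # the old record is discarded and the same finger still verifies.
    results["reenrolled_still_verifies"] = verify(enroll(GENUINE), GENUINE)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Two limits of the toy matter for anyone reading it as more than a sketch: a 16-bit key can be brute-forced offline from a leaked record, and a repetition code lets the helper string leak structure of the template, so production schemes use long keys and proper error-correcting codes, and keep the record inside a protected store or secure element.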
Biometric information: India’s present legal regime
Currently, information technology law, more specifically the “Information Technology Act, 2000 (IT Act)” and the rules made under it, governs the gathering, storing, and processing of biometric data. “The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Privacy Rules)” set out the essential requirements that govern personal information and sensitive personal data, including biometric data. In addition, several other regulations cover specific uses of biometric information, such as confirming a person’s identity using their Aadhaar card.
India’s regulation of biometric data
Currently, Indian law requires that anyone managing, dealing with, or holding biometric data follow the same procedures that apply to sensitive personal data or information. It is also worth keeping in mind that the IT Act regulates biometric data because this sort of personal data is collected and processed using a computer resource.
The Privacy Rules define “personal information” as “information relating to a natural person and that, alone or in combination with other information available, may be used to identify that person” (Personal Data). Additionally, “sensitive personal data or information” for an individual is a category of Personal Data about the person’s sensitive particulars that demand a higher level of confidentiality, like a password, specific financial data regarding a bank account or credit cards, or biometric data, among other things (Sensitive Data). Generally speaking, processing, handling, or dealing with any data or information deemed sensitive data is subject to stricter regulations and higher levels of protection under privacy laws. The protections that apply to sensitive data also apply to biometric data because it has been designated as sensitive data.
Additionally, a company managing biometric data is required to adhere to and put in place “appropriate security practices and procedures”, the breach of which results in wrongful loss or gain to the company or any individual, in which case the company is obliged to pay damages as compensation to the affected individual. The IT Act is an exception to the general rule for damages in India: it stipulates that if the wrongful gain is proven, the violating entity must make restitution to the data subject without the data subject having to demonstrate that they suffered a wrongful loss due to the entity’s negligence in putting reasonable security practices and procedures in place when handling biometric data.
Personal Data Protection Bill and Biometric Data
The Indian government established an expert group under the leadership of Justice B. N. Srikrishna, which sent the government a draft law titled the “Personal Data Protection Bill.” The Bill establishes India’s data protection policy and is anticipated to replace the existing system. Currently, the Bill is only in draft form. It proposes a modification to the current Privacy Rules for cross-border transfers of biometric data, with such transfers to follow model contract provisions approved by the Data Protection Authority (envisioned under the Bill). The Bill also suggests keeping a copy of this data in a data center in India. It prescribes penalties for violating its rules on the processing or collection of biometric data, including purposely, wilfully, or carelessly exposing, transmitting, or commercially exploiting biometric data.
Conclusion
In conclusion, the Aadhaar Act establishes authentication as a specific use-case for biometric data, and the current Indian legal system classifies biometric data as sensitive data under the Privacy Rules. It is crucial to secure this kind of crucial data because it is unknown what applications and misuses biometric data may be put to.